Advanced File Analysis System

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: aa45509ac9b2d11e55784eddc52f966444d77099.exe, pid: 2308, offset: 0x00022471, length: 0x00001dd0
api_process_name	process: aa45509ac9b2d11e55784eddc52f966444d77099.exe, pid: 2308, offset: 0x0002428c, length: 0x0003a9da

Networking

Performs some HTTP requests Show sources

network_url

http://www.msftncsi.com/ncsi.txt

Malware Analysis System Evasion

Attempts to restart the guest VM Show sources

os_restart

InitiateSystemShutdownExW

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped

C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp\aa45509ac9b2d11e55784eddc52f966444d77099.tmp